Analysis
-
max time kernel
114s -
max time network
113s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
22-07-2021 05:27
General
-
Target
7.exe
-
Size
917KB
-
MD5
3a5c4b65bb4f78ea617ea542d1d9d949
-
SHA1
9d561008de64c07630e543025b2923998c89dfef
-
SHA256
27dd279fa5720fd391fb0b32caad51f90244c7c16a11944c0e337a1ccb4badfd
-
SHA512
299047236954b528d6378a68580dfd03ac6399bd0d1b04a564e1b78e270dccc748901d8170888c2bc3e3656c3e79e016fccd156b31224adbfaeec69a127a2a61
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.mundi.hr - Port:
587 - Username:
report@mundi.hr - Password:
P@1625330275
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7.exe"C:\Users\Admin\AppData\Local\Temp\7.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fqevlod.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fqevlod" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3087.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fqevlod.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7.exe"C:\Users\Admin\AppData\Local\Temp\7.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\7.exe"C:\Users\Admin\AppData\Local\Temp\7.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
1c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
b00199d6c70589986ed915732ec58307
SHA1608b410243a92aeed716015fc4a443bc33236720
SHA25691c352b521fe091acfc322329bc32a74451f0fda42726bbd53d961e24454a08c
SHA512b7b5b552feb5c543ae32739bb9c4763c4411210a4e12704a3ce721fd00aba4727eaf0693e57ea3e8b16101b9148dd2d48e550353f0433e3fc31b362048e307e8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
2a329386db17494ac0702b07f754cd50
SHA10c0ba7efd8ea7f058d2987e97bf3c32e9fc71c82
SHA2566dab36561f4ce7bda03ba5f0f176ca352a900328a88529968a8935fdf0b3bd75
SHA51220b8f7aba38d7caf669e44ded300cc66e88b9f2efdc8a958d2aecd7ec3ea45bc741ecd6d317836b487731528c1be2f761916af600865b16560bcfdb0888189cf
-
C:\Users\Admin\AppData\Local\Temp\tmp3087.tmpMD5
005ca184a14f89620c65c38188ce16d8
SHA180df2bf9c9ff5536c71bbfd3bc69fa7511c60029
SHA2562d8a3936a1d851f450cd89a4db75e4bc0dadb282d49477d9a00c17c89b944fdc
SHA51243ce9d149eafb54a8d89386cc4831416203bb6c50e2288852bbe23a8a2f12f2c508ecf79d2fad2594bf2201d87eea995888d07a2dfaf5d4f5ff4825039bd00a6
-
memory/772-121-0x0000000004A80000-0x0000000004F7E000-memory.dmpFilesize
5.0MB
-
memory/772-120-0x0000000004C80000-0x0000000004C81000-memory.dmpFilesize
4KB
-
memory/772-119-0x00000000049B0000-0x00000000049B1000-memory.dmpFilesize
4KB
-
memory/772-122-0x0000000004D60000-0x0000000004D7B000-memory.dmpFilesize
108KB
-
memory/772-123-0x00000000009E0000-0x0000000000A45000-memory.dmpFilesize
404KB
-
memory/772-124-0x0000000000A50000-0x0000000000A76000-memory.dmpFilesize
152KB
-
memory/772-118-0x0000000004B20000-0x0000000004B21000-memory.dmpFilesize
4KB
-
memory/772-114-0x00000000000C0000-0x00000000000C1000-memory.dmpFilesize
4KB
-
memory/772-117-0x0000000004F80000-0x0000000004F81000-memory.dmpFilesize
4KB
-
memory/772-116-0x00000000049E0000-0x00000000049E1000-memory.dmpFilesize
4KB
-
memory/1612-127-0x0000000000000000-mapping.dmp
-
memory/2120-133-0x00000000078D0000-0x00000000078D1000-memory.dmpFilesize
4KB
-
memory/2120-245-0x0000000004F03000-0x0000000004F04000-memory.dmpFilesize
4KB
-
memory/2120-207-0x000000007EED0000-0x000000007EED1000-memory.dmpFilesize
4KB
-
memory/2120-167-0x00000000080A0000-0x00000000080A1000-memory.dmpFilesize
4KB
-
memory/2120-143-0x00000000076F0000-0x00000000076F1000-memory.dmpFilesize
4KB
-
memory/2120-145-0x0000000007F00000-0x0000000007F01000-memory.dmpFilesize
4KB
-
memory/2120-146-0x0000000007F70000-0x0000000007F71000-memory.dmpFilesize
4KB
-
memory/2120-150-0x00000000082B0000-0x00000000082B1000-memory.dmpFilesize
4KB
-
memory/2120-158-0x0000000004F00000-0x0000000004F01000-memory.dmpFilesize
4KB
-
memory/2120-160-0x0000000004F02000-0x0000000004F03000-memory.dmpFilesize
4KB
-
memory/2120-130-0x0000000004DB0000-0x0000000004DB1000-memory.dmpFilesize
4KB
-
memory/2120-125-0x0000000000000000-mapping.dmp
-
memory/2120-169-0x00000000089F0000-0x00000000089F1000-memory.dmpFilesize
4KB
-
memory/2724-139-0x000000000041F86E-mapping.dmp
-
memory/2724-165-0x00000000052E0000-0x00000000057DE000-memory.dmpFilesize
5.0MB
-
memory/2724-173-0x00000000065B0000-0x00000000065B1000-memory.dmpFilesize
4KB
-
memory/2724-138-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/2848-166-0x0000000004B12000-0x0000000004B13000-memory.dmpFilesize
4KB
-
memory/2848-164-0x0000000004B10000-0x0000000004B11000-memory.dmpFilesize
4KB
-
memory/2848-247-0x0000000004B13000-0x0000000004B14000-memory.dmpFilesize
4KB
-
memory/2848-196-0x0000000009500000-0x0000000009533000-memory.dmpFilesize
204KB
-
memory/2848-203-0x000000007EBE0000-0x000000007EBE1000-memory.dmpFilesize
4KB
-
memory/2848-215-0x00000000094E0000-0x00000000094E1000-memory.dmpFilesize
4KB
-
memory/2848-137-0x0000000000000000-mapping.dmp
-
memory/3336-126-0x0000000000000000-mapping.dmp
-
memory/3336-244-0x000000007EA60000-0x000000007EA61000-memory.dmpFilesize
4KB
-
memory/3336-250-0x0000000004EF3000-0x0000000004EF4000-memory.dmpFilesize
4KB
-
memory/3336-175-0x0000000008B30000-0x0000000008B31000-memory.dmpFilesize
4KB
-
memory/3336-163-0x0000000004EF2000-0x0000000004EF3000-memory.dmpFilesize
4KB
-
memory/3336-162-0x0000000004EF0000-0x0000000004EF1000-memory.dmpFilesize
4KB